Handling AccessDenied with Method Level Security

  • sword101
    started a topic Handling AccessDenied with Method Level Security

    Handling AccessDenied with Method Level Security

    I have a method secured with Spring Security as follows:

        public void addUser(User user);

    and if a user without enough permissions tries to invoke it, an AccessDenied exception is thrown:

        Access is denied

    This is what's expected, but the question is: why is the defined access-denied-handler

    in security.xml configuration file is not working :

    <access-denied-handler error-page="accessDenied"/>
    Shouldn't the user get redirected automatically to the access denied page when this exception is thrown, or do I have to define such behavior explicitly in code?

    Please advise.

    UPDATE: security configuration:

    <!-- Namespace declarations are assumed here: the post's own were truncated; these are the standard Spring Security and beans namespaces -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans">
        <!-- Enable @Pre/@Post Spring Security method-level annotations -->
        <global-method-security pre-post-annotations="enabled" />
        <http use-expressions="true" auto-config="true" access-denied-page="/accessDenied">
            <session-management session-fixation-protection="none"/>
            <remember-me token-validity-seconds="1209600"/>
            <intercept-url pattern="/accessDenied" access="permitAll"/>
            <intercept-url pattern="/login" access="permitAll"/>
            <intercept-url pattern="/j_spring_security_check" access="permitAll" />
            <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll" />
            <intercept-url pattern="/xmlhttp/**" access="permitAll" />
            <intercept-url pattern="/resources/**" access="permitAll" />
            <intercept-url pattern="/scripts/**" access="permitAll" />
            <intercept-url pattern="/images/**" access="permitAll" />
            <intercept-url pattern="/css/**" access="permitAll" />
            <!-- All pages require authentication (not an anonymous user) -->
            <intercept-url pattern="/**" access="isAuthenticated()" />
            <intercept-url pattern="/faces/**" access="isAuthenticated()" />
            <form-login default-target-url="/" />
            <logout logout-url="/logout" logout-success-url="/login" />
        </http>
        <authentication-manager alias="authenticationManager">
            <authentication-provider user-service-ref="userDetailsServiceImpl"/>
        </authentication-manager>
    </beans:beans>
    Last edited by sword101; Oct 27th, 2011, 11:21 AM.

  • sword101
    Following are the debug messages logged before the AccessDeniedException is thrown:

        DEBUG [http-bio-8080-exec-1] ( -'add_user')) found on specific method: public void com.myapp.service.impl.UserServiceImpl.addUser(com.myapp.domain.User) throws java.lang.Exception,
        DEBUG [http-bio-8080-exec-1] ( - Adding security method [CacheKey[com.myapp.service.impl.UserServiceImpl; public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,]] with attributes [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
        DEBUG [http-bio-8080-exec-1] ( - Secure object: ReflectiveMethodInvocation: public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,; target is of class [com.myapp.service.impl.UserServiceImpl]; Attributes: [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
        DEBUG [http-bio-8080-exec-1] ( - Previously Authenticated: org.springframew[email protected]c650d918: Principal: [email protected]: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: access_viewUsers; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E6BBAC0CD4499B1455227DC6035CC882; Granted Authorities: access_viewUsers
        DEBUG [http-bio-8080-exec-1] ( - Voter: org.springframewor[email protected]1d1e082e, returned: -1
        DEBUG [http-bio-8080-exec-1] ( - Voter: [email protected], returned: 0
        DEBUG [http-bio-8080-exec-1] ( - Voter: [email protected]9bf1, returned: 0
    Please advise.

  • stimpy

    In my case the access-denied config is on its own line, not part of the http element:

        <access-denied-handler error-page="/accessDenied" />

    When you debug, do you see a request for that page, or not at all?

    It's important to know that accessDenied acts differently depending on what exactly is happening.

    So for example, if your user had insufficient AUTHORITIES then you will likely get to the accessDenied page; however, if your user is otherwise unauthenticated because your user details service cannot find the user, then you will not get accessDenied.

    You might try throwing a breakpoint in the o.s.s.web.access.ExceptionTranslationFilter handleException method, where you can see the accessDenied handler being called. It is not called in all cases of the accessDenied exception.
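As an added example (not code from the thread or from Spring itself), the following Spring Security 3.x AccessDeniedHandler makes the mechanics above concrete: ExceptionTranslationFilter calls a handler like this only when the AccessDeniedException thrown by the @PreAuthorize-secured method propagates uncaught back to the filter chain and the caller is already authenticated; an anonymous caller is sent to the login entry point instead. The class name, package and the `/accessDenied` error page path passed to the constructor are assumptions chosen to match the configuration posted in the thread; the `X-Requested-With` check is added for the `/xmlhttp/**` style AJAX calls that cannot usefully follow a forward to an HTML page.

```java
package com.myapp.security; // hypothetical package, not from the thread

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Added example of a custom AccessDeniedHandler for Spring Security 3.x.
 * ExceptionTranslationFilter invokes handle() only when an AccessDeniedException
 * reaches the filter uncaught and the current Authentication is not anonymous;
 * if the JSF action (or any other code) swallows the exception, this is never
 * called and no redirect/forward happens.
 */
public class AjaxAwareAccessDeniedHandler implements AccessDeniedHandler {

    // Context-relative error page, e.g. "/accessDenied" (assumed value, matches the thread's config)
    private final String errorPage;

    public AjaxAwareAccessDeniedHandler(String errorPage) {
        // Same constraint the built-in AccessDeniedHandlerImpl enforces
        if (errorPage == null || !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must begin with '/'");
        }
        this.errorPage = errorPage;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        // AJAX callers cannot render a forwarded HTML page; a plain 403 lets client
        // script react (e.g. show a message) instead of silently failing.
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access is denied");
            return;
        }

        if (response.isCommitted()) {
            // Nothing more can be done once the response has started streaming.
            return;
        }

        // Mirror the default handler: 403 status plus a server-side forward (not a
        // client redirect) to the error page, with the exception exposed under the
        // standard request attribute so the page can render it.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.setAttribute(WebAttributes.ACCESS_DENIED_403, ex);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }
}
```

To wire it into the configuration shown in the thread, drop the `access-denied-page` attribute from `<http>` (the namespace does not allow both), declare the class as a bean with `/accessDenied` as its constructor argument, and reference it with `<access-denied-handler ref="..."/>` inside `<http>`. Note that the forward, like the default one, is a server-side forward rather than a browser redirect, so the URL in the address bar does not change; when debugging with a breakpoint in ExceptionTranslationFilter, that is what a "working" handler looks like.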

  • sword101
    I mean that when an AccessDenied exception occurs (because the user doesn't have permission on a service method), the exception is thrown and the user is not redirected to the access denied page.

  • stimpy

    When you say "not working", what do you mean? What DOES happen? A 403 page, or?

    I use the configuration you posted and it does work. However, Spring's use of accessDenied has a few conditions that can be difficult.